Okta-react does not seem to support response_type == code


I tried using https://github.com/okta/okta-oidc-js/tree/master/packages/okta-react to work with my company’s okta setup (which does not support other response types: OAuthError: The response type is not supported by the authorization server. Configured response types: [code].), but it doesn’t support response_type of code properly and always tries to read the token from the callback url that has the state/nonce instead of verifying they match and then making another request for the token. I think that it’s because of this line: https://github.com/okta/okta-oidc-js/blob/master/packages/okta-react/src/Auth.js#L42 which really should see if the response type is code and if so do something different.

My App is:

class App extends Component {
render() {
return (

<Security issuer={process.env.REACT_APP_ISSUER}
redirect_uri={window.location.origin + ‘/auth/callback’}
onAuthRequired={({history}) => history.push(’/login’)} >


Can't get any demos working

@mraible, can you take a look at this and let me know if you have any thoughts? Thanks, Mark


Hi @markj -

The okta-react library only supports the OAuth 2.0 Implicit Flow, so requesting an authorization code without a clientSecret or code_challenge (see PKCE) will throw an error from the API.

Therefore, only the following response_type values are permitted:

  • token
  • id_token
  • token id_token

To help us understand your use case a bit better, is there a specific reason you’re requesting a code over getting the tokens directly?


Thanks for the reply. I am checking with my admins as to why we only support the code response type.

Also, I tried changing the CustomLogin as follows after realizing that the default responseMode for the response type of code is query which will not work with parseFromUrl, but then I ended up in an infinite redirect loop:

export default withAuth(class CustomLogin extends Component {
render() {
this.props.auth.redirect({responseMode: ‘fragment’});
return null;